NOTE: this page is for archival only, see the note at the end of the page.

Wireless Subsystem

Following are some details about the Linux wireless 802.11 subsystem.

All stations must authenticate and associate with the Access Point prior to communicating.

Stations usually perform scanning prior to authentication and association in order to get details about the Access Point (such as its MAC address, ESSID, and more).

Scanning is done thus:

ifconfig wlan0 up
iwlist wlan0 scan

Scanning is triggered by issuing the SIOCSIWSCAN ioctl (include/linux/wireless.h).

iwlist (and iwconfig) are from the wireless-tools package.

Eventually, scanning starts by calling ieee80211_start_scan() (net/mac80211/scan.c).

Active scanning is performed by sending Probe Requests on all the channels which are supported by the station.

Open-system authentication (WLAN_AUTH_OPEN) is the only mandatory authentication method required by 802.11.

(WLAN_AUTH_OPEN is defined in include/linux/ieee80211.h)

● At a given moment, a station may be associated with no more than one AP.

● A Station ("STA") can select a BSS and authenticate and associate to it.

● In Ad-Hoc mode, authentication is not defined.

● An Access Point will not receive any data frames from a station before it is associated with the AP.

● An Access Point which receives an association request will check whether the mobile station's parameters match the Access Point's parameters.

– These parameters are SSID, Supported Rates and capability information.

● When a station associates to an Access Point, it gets an ASSOCIATION ID (AID) in the range 1-2007.

● Trying unsuccessfully to associate more than 3 times results in this message in the kernel log:

"association with AP apMacAddress timed out"

(IEEE80211_ASSOC_MAX_TRIES is the maximum number of association attempts; see net/mac80211/mlme.c)

Hostapd

hostapd is a user space daemon implementing access point functionality (and authentication servers). It supports Linux and FreeBSD.

http://hostap.epitest.fi/hostapd/

● Developed by Jouni Malinen

● hostapd.conf is the configuration file.

● Certain devices, which support Master Mode, can be operated as Access Points by running the hostapd daemon.

● Hostapd implements part of the MLME AP code which is not in the kernel, and probably will not be in the near future.

● For example: handling association requests which are received from wireless clients.

Hostapd manages:

● Association/Disassociation requests.

● Authentication/Deauthentication requests.
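The association-request check described above (SSID, supported rates and capability information must match the AP's parameters) is shown below as an added example in C. It is not hostapd's code and not code from this page; struct ap_config, check_assoc_request() and the sample frame are constructed for illustration, and only the SSID and supported-rates elements are compared. The frame-control and element ID constants carry the same values as include/linux/ieee80211.h. A defender-relevant detail it shows is bounds checking of every information element before it is read, so a frame with a bogus element length is rejected instead of being read past the end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Frame control values and element IDs, same values as include/linux/ieee80211.h. */
#define IEEE80211_FCTL_FTYPE       0x000c
#define IEEE80211_FCTL_STYPE       0x00f0
#define IEEE80211_FTYPE_MGMT       0x0000
#define IEEE80211_STYPE_ASSOC_REQ  0x0000
#define WLAN_EID_SSID              0
#define WLAN_EID_SUPP_RATES        1
#define IEEE80211_MAX_SSID_LEN     32

/* Hypothetical AP configuration: a stand-in for what hostapd reads from hostapd.conf. */
struct ap_config {
    char ssid[IEEE80211_MAX_SSID_LEN + 1];
    uint8_t rates[8];      /* supported rates in 500 kbps units, basic-rate bit stripped */
    size_t n_rates;
};

enum assoc_verdict { ASSOC_ACCEPT, ASSOC_BAD_FRAME, ASSOC_SSID_MISMATCH, ASSOC_NO_COMMON_RATE };

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the information elements after the fixed fields of an association request and compare
   SSID and rates with the AP's parameters. Every element is length-checked before it is read. */
enum assoc_verdict check_assoc_request(const uint8_t *frame, size_t len, const struct ap_config *ap)
{
    const size_t hdr = 24, fixed = 4;    /* 802.11 header, then capability + listen interval */
    if (len < hdr + fixed) return ASSOC_BAD_FRAME;
    uint16_t fc = get_le16(frame);
    if ((fc & (IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) != (IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ASSOC_REQ))
        return ASSOC_BAD_FRAME;

    bool saw_ssid = false, ssid_ok = false, rate_ok = false;
    size_t pos = hdr + fixed;
    while (pos + 2 <= len) {
        uint8_t id = frame[pos], elen = frame[pos + 1];
        const uint8_t *data = frame + pos + 2;
        if (pos + 2 + elen > len) return ASSOC_BAD_FRAME;   /* element length overruns the frame */
        if (id == WLAN_EID_SSID) {
            saw_ssid = true;
            ssid_ok = elen <= IEEE80211_MAX_SSID_LEN && elen == strlen(ap->ssid) &&
                      memcmp(data, ap->ssid, elen) == 0;
        } else if (id == WLAN_EID_SUPP_RATES) {
            for (size_t i = 0; i < elen && !rate_ok; i++)
                for (size_t j = 0; j < ap->n_rates; j++)
                    if ((data[i] & 0x7f) == ap->rates[j]) { rate_ok = true; break; }
        }
        pos += 2 + elen;
    }
    if (!saw_ssid || !ssid_ok) return ASSOC_SSID_MISMATCH;
    if (!rate_ok) return ASSOC_NO_COMMON_RATE;
    return ASSOC_ACCEPT;
}

/* Constructed sample: association request for SSID "lab" offering 1, 2 and 5.5 Mbps (0x82, 0x84, 0x0b). */
static const uint8_t sample_assoc_req[] = {
    0x00, 0x00, 0x00, 0x00,                         /* frame control (mgmt/assoc req), duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,             /* addr1: AP */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,             /* addr2: station */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,             /* addr3: BSSID */
    0x00, 0x00,                                     /* sequence control */
    0x01, 0x00, 0x0a, 0x00,                         /* capability (ESS), listen interval */
    0x00, 0x03, 'l', 'a', 'b',                      /* SSID element */
    0x01, 0x03, 0x82, 0x84, 0x0b,                   /* supported rates element */
};

/* Constructed AP configurations used to exercise each verdict. */
static const struct ap_config lab_ap        = { "lab",   { 0x02, 0x04, 0x0b, 0x16 }, 4 };
static const struct ap_config other_ssid_ap = { "other", { 0x02, 0x04, 0x0b, 0x16 }, 4 };
static const struct ap_config ofdm_only_ap  = { "lab",   { 0x0c, 0x18 }, 2 };

int main(void)
{
    printf("verdict for lab_ap: %d\n", check_assoc_request(sample_assoc_req, sizeof sample_assoc_req, &lab_ap));
    return 0;
}
```

A real AP also compares the capability information field and the rest of the elements; the walker above is the place where those checks would be added.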

Power save mode

There are three types of IEEE 802.11 packets: management, control and data.

(These correspond to IEEE80211_FTYPE_MGMT, IEEE80211_FTYPE_CTL and IEEE80211_FTYPE_DATA in the mac80211 stack.)

● Control packets include RTS (Request to Send), CTS (Clear to Send) and ACK packets.

● Management packets are used for authentication and association.

● Mobile devices are usually battery powered most of the time.

● A station may be in one of two different modes:

  – Awake (fully powered)

  – Asleep (also termed "dozed" in the specs)

● Access points never enter power save mode and do not transmit Null packets.

● In power save mode, the station is not able to transmit or receive and consumes very little power.

● In order to sniff wireless traffic in Linux with Wireshark, you can do this:

iwconfig wlan0 mode monitor
ifconfig wlan0 up

And then start Wireshark and select the wlan0 interface.

You can find out the channel number while sniffing by looking at the radiotap header in the sniffer output; the channel frequency translates to a channel number (a one-to-one correspondence). Moreover, the channel number appears in square brackets, like:

– channel frequency 2437 [BG 6]
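To make the radiotap remark concrete, here is an added C example (not code from this page or from the kernel) that reads the channel frequency out of a radiotap header and converts it to the channel number, as a sniffer does. The function names radiotap_channel_freq() and freq_to_channel() and the sample header are constructed for this example; the radiotap layout (version 0, little-endian it_len and it_present, naturally aligned fields in bit order) follows the radiotap specification, and only the TSFT, Flags, Rate and Channel fields are decoded. Note that it_len is validated against the capture length before anything is read, since a captured header can claim more bytes than are present.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bits of the radiotap "present" word for the fields that can precede the channel field. */
enum {
    RT_PRESENT_TSFT    = 0,   /* u64, 8-byte aligned */
    RT_PRESENT_FLAGS   = 1,   /* u8 */
    RT_PRESENT_RATE    = 2,   /* u8 */
    RT_PRESENT_CHANNEL = 3,   /* u16 frequency (MHz) + u16 flags, 2-byte aligned */
    RT_PRESENT_EXT     = 31,  /* another present word follows (not handled here) */
};

static uint16_t rt_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rt_le32(const uint8_t *p) { return rt_le16(p) | ((uint32_t)rt_le16(p + 2) << 16); }
static size_t rt_align(size_t off, size_t align) { return (off + align - 1) & ~(align - 1); }

/* Return the channel frequency in MHz from a radiotap header, or 0 if absent or malformed. */
int radiotap_channel_freq(const uint8_t *buf, size_t len)
{
    if (len < 8 || buf[0] != 0) return 0;              /* it_version must be 0 */
    size_t it_len = rt_le16(buf + 2);
    if (it_len < 8 || it_len > len) return 0;           /* never trust it_len beyond the capture */
    uint32_t present = rt_le32(buf + 4);
    if (present & (1u << RT_PRESENT_EXT)) return 0;     /* extended bitmaps: out of scope here */
    if (!(present & (1u << RT_PRESENT_CHANNEL))) return 0;

    size_t off = 8;                                     /* fields start right after the header */
    if (present & (1u << RT_PRESENT_TSFT))  off = rt_align(off, 8) + 8;
    if (present & (1u << RT_PRESENT_FLAGS)) off += 1;
    if (present & (1u << RT_PRESENT_RATE))  off += 1;
    off = rt_align(off, 2);
    if (off + 4 > it_len) return 0;
    return rt_le16(buf + off);
}

/* Frequency to channel number: 2.4 GHz channels are 2407 + 5*n MHz (channel 14 at 2484),
   5 GHz channels are 5000 + 5*n MHz. Returns 0 for anything else. */
int freq_to_channel(int freq)
{
    if (freq == 2484) return 14;
    if (freq >= 2412 && freq <= 2472) return (freq - 2407) / 5;
    if (freq >= 5000 && freq <= 5900) return (freq - 5000) / 5;
    return 0;
}

/* Constructed sample: it_len 22, present = TSFT|Flags|Rate|Channel, channel 2437 MHz. */
static const uint8_t sample_radiotap[22] = {
    0x00, 0x00, 0x16, 0x00, 0x0f, 0x00, 0x00, 0x00,    /* version, pad, it_len, it_present */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,    /* TSFT */
    0x00,                                              /* flags */
    0x02,                                              /* rate: 1 Mbps */
    0x85, 0x09, 0xc0, 0x00,                            /* channel: 2437 MHz, flags 0x00c0 (2 GHz, OFDM) */
};

int main(void)
{
    int freq = radiotap_channel_freq(sample_radiotap, sizeof sample_radiotap);
    printf("channel frequency %d [%d]\n", freq, freq_to_channel(freq));
    return 0;
}
```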

You can find out the MAC address of your wireless NIC with:

cat /sys/class/ieee80211/phy*/macaddress

● A station sends a null packet by calling ieee80211_send_nullfunc() (net/mac80211/mlme.c).

  – The PM bit in the frame control of this packet is set (the IEEE80211_FCTL_PM bit).

● Each access point has an array of skbs for buffering unicast packets for the stations which enter power save mode.

● It is called ps_tx_buf (in struct sta_info; see net/mac80211/sta_info.h).

ps_tx_buf can buffer up to 64 skbs (STA_MAX_TX_BUFFER=64, in net/mac80211/sta_info.h).

In case the buffer is full, old skbs will be dropped.
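The following added C example (not code from this page or from mac80211) ties together the frame-type section above, the null-function frame with its PM bit, and the bounded ps_tx_buf: it classifies a frame by the FTYPE bits, recognises a null-data frame and reads its PM bit, and then models what the AP does once the station announces it is dozing, queueing unicast frames into a 64-entry buffer that drops the oldest entry when full. The constants carry the values from include/linux/ieee80211.h and net/mac80211/sta_info.h; struct ps_tx_buf, simulate_doze() and the sample frames are constructed for this example and are not the kernel's data structures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Frame control bits, same values as include/linux/ieee80211.h. */
#define IEEE80211_FCTL_FTYPE         0x000c
#define IEEE80211_FCTL_STYPE         0x00f0
#define IEEE80211_FCTL_PM            0x1000
#define IEEE80211_FTYPE_MGMT         0x0000
#define IEEE80211_FTYPE_CTL          0x0004
#define IEEE80211_FTYPE_DATA         0x0008
#define IEEE80211_STYPE_NULLFUNC     0x0040
#define IEEE80211_STYPE_QOS_NULLFUNC 0x00c0
#define STA_MAX_TX_BUFFER            64      /* same limit as net/mac80211/sta_info.h */

enum frame_kind { FRAME_MGMT, FRAME_CTL, FRAME_DATA, FRAME_INVALID };

static uint16_t frame_control(const uint8_t *f) { return (uint16_t)(f[0] | (f[1] << 8)); }

/* Classify a frame by the FTYPE bits of its frame control field. */
enum frame_kind classify_frame(const uint8_t *f, size_t len)
{
    if (len < 2) return FRAME_INVALID;
    switch (frame_control(f) & IEEE80211_FCTL_FTYPE) {
    case IEEE80211_FTYPE_MGMT: return FRAME_MGMT;
    case IEEE80211_FTYPE_CTL:  return FRAME_CTL;
    case IEEE80211_FTYPE_DATA: return FRAME_DATA;
    default:                   return FRAME_INVALID;   /* FTYPE value 3 is reserved */
    }
}

/* True for a (QoS) null-function frame: a data frame with no payload, used to signal power state. */
bool is_nullfunc(const uint8_t *f, size_t len)
{
    if (classify_frame(f, len) != FRAME_DATA) return false;
    uint16_t st = frame_control(f) & IEEE80211_FCTL_STYPE;
    return st == IEEE80211_STYPE_NULLFUNC || st == IEEE80211_STYPE_QOS_NULLFUNC;
}

/* The PM bit: 1 means the station will doze after this frame, 0 means it is awake. */
bool pm_bit(const uint8_t *f, size_t len)
{
    return len >= 2 && (frame_control(f) & IEEE80211_FCTL_PM) != 0;
}

/* Model of one station's ps_tx_buf: a bounded FIFO of frame ids waiting for a dozing station. */
struct ps_tx_buf {
    unsigned ids[STA_MAX_TX_BUFFER];
    size_t head, count, dropped;
};

/* Enqueue a frame; when the buffer is full the oldest frame is dropped. */
void ps_tx_buf_add(struct ps_tx_buf *b, unsigned id)
{
    if (b->count == STA_MAX_TX_BUFFER) {
        b->head = (b->head + 1) % STA_MAX_TX_BUFFER;
        b->count--;
        b->dropped++;
    }
    b->ids[(b->head + b->count) % STA_MAX_TX_BUFFER] = id;
    b->count++;
}

/* Dequeue the oldest buffered frame (what the AP delivers once the station wakes up). */
bool ps_tx_buf_pop(struct ps_tx_buf *b, unsigned *id)
{
    if (b->count == 0) return false;
    *id = b->ids[b->head];
    b->head = (b->head + 1) % STA_MAX_TX_BUFFER;
    b->count--;
    return true;
}

/* AP side: after receiving sta_frame, queue n unicast frames for the station if it went to sleep.
   Returns how many frames were dropped because the buffer overflowed. */
size_t simulate_doze(struct ps_tx_buf *b, const uint8_t *sta_frame, size_t len, unsigned n)
{
    *b = (struct ps_tx_buf){0};
    if (!(is_nullfunc(sta_frame, len) && pm_bit(sta_frame, len))) return 0;   /* awake: nothing buffered */
    for (unsigned i = 0; i < n; i++) ps_tx_buf_add(b, i);
    return b->dropped;
}

/* Constructed frames (frame control is little-endian on the wire; the rest is zero-filled). */
static const uint8_t sample_nullfunc_pm[24]    = { 0x48, 0x11 };   /* data/null-func, PM=1 (fc 0x1148) */
static const uint8_t sample_nullfunc_awake[24] = { 0x48, 0x00 };   /* data/null-func, PM=0 (fc 0x0048) */
static const uint8_t sample_beacon[24]         = { 0x80, 0x00 };   /* management/beacon (fc 0x0080) */
static const uint8_t sample_rts[16]            = { 0xb4, 0x00 };   /* control/RTS (fc 0x00b4) */

int main(void)
{
    struct ps_tx_buf b;
    printf("dropped after 70 frames: %zu, buffered: %zu\n",
           simulate_doze(&b, sample_nullfunc_pm, sizeof sample_nullfunc_pm, 70), b.count);
    return 0;
}
```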

● When a station enters PS mode it turns off its RF. From time to time it turns the RF on, but only for receiving beacons.

● An Access Point sends beacon frames periodically.

● Each beacon has a TIM (Traffic Indication Map) field.

802.11n

802.11n started with the High Throughput Study Group in about 2002.

In 802.11, each packet should be acknowledged. In 802.11n, packets are grouped into a block and the block is acknowledged instead of acknowledging each packet separately. This improves performance. Grouping packets in a block in this way is called "packet aggregation" in 802.11n terminology.

● There are two forms of aggregation:

  – A-MPDU (the more common form)

A-MPDU aggregation requires the use of block acknowledgement or BlockAck, which was introduced in 802.11e and has been optimized in 802.11n.

802.11e is the quality-of-service extensions amendment.

The 802.11e amendment deals with QoS; it introduced four queues for different types of traffic: voice traffic, video traffic, best-effort traffic and background traffic. The Linux implementation of 802.11e uses multiqueues. Traffic in a higher priority queue is transmitted before traffic in a lower priority queue.

  – A-MSDU

Packet aggregation

● There are two sides to a block ack session: originator and recipient. Each block session has a different TID (traffic identifier).

● The originator starts the block acknowledge session by calling ieee80211_start_tx_ba_session() (net/mac80211/agg-tx.c)

ieee80211_tx_ba_session_handle_start() is a callback of ieee80211_start_tx_ba_session(). In this callback we send an ADDBA (Add Block Acknowledgment) request packet by invoking the ieee80211_send_addba_request() method (also in net/mac80211/agg-tx.c).

The ieee80211_send_addba_request() method builds a management action packet (the subtype is action, IEEE80211_STYPE_ACTION).

The response to the ADDBA request should be received within 1 HZ, which is one millisecond on x86_64 machines (ADDBA_RESP_INTERVAL, defined in net-next/net/mac80211/sta_info.h).

If no response arrives in time, sta_addba_resp_timer_expired() stops the BA session by calling ieee80211_stop_tx_ba_session().

When the other side (the recipient) receives the ADDBA request, it first sends an ACK. Then it processes the ADDBA request by calling ieee80211_process_addba_request() (net/mac80211/agg-rx.c).

If everything is OK, it sets the aggregation state of this session to operational (HT_AGG_STATE_OPERATIONAL) and sends an ADDBA Response by calling ieee80211_send_addba_resp().

After a session has been started, a data block containing multiple MPDU packets is sent. The originator then sends a Block Ack Request (BAR) packet by calling ieee80211_send_bar() (net/mac80211/agg-tx.c).

The BAR is a control packet with Block Ack Request subtype (IEEE80211_STYPE_BACK_REQ).

The BAR packet includes the SSN (starting sequence number), which is the sequence number of the oldest MSDU in the block which should be acknowledged.

The BAR (HT Block Ack Request) is defined in include/linux/ieee80211.h; its start_seq_num member is initialized to the proper SSN.

There are two types of Block Ack: Immediate Block Ack and Delayed Block Ack.
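As an added C example for the BAR and Block Ack exchange above (not code from this page or from mac80211), the block below parses a BAR control frame, pulling out the TID and the SSN from start_seq_num, and then shows the recipient's side of the exchange: building the 64-bit compressed BlockAck bitmap from the SSN and the sequence numbers it has received, with the modulo-4096 wrap-around of 802.11 sequence numbers handled. The constants mirror names and values in include/linux/ieee80211.h; parse_bar(), build_ba_bitmap(), struct bar_info and the sample frame are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constants mirroring include/linux/ieee80211.h. */
#define IEEE80211_FCTL_FTYPE              0x000c
#define IEEE80211_FCTL_STYPE              0x00f0
#define IEEE80211_FTYPE_CTL               0x0004
#define IEEE80211_STYPE_BACK_REQ          0x0080
#define IEEE80211_BAR_CTRL_TID_INFO_MASK  0xf000
#define IEEE80211_BAR_CTRL_TID_INFO_SHIFT 12
#define IEEE80211_SN_MASK                 0x0fff   /* sequence numbers are 12 bits (modulo 4096) */
#define IEEE80211_BAR_LEN                 20       /* fc, duration, RA, TA, BAR control, start_seq_num */

struct bar_info { uint8_t tid; uint16_t ssn; };

static uint16_t bar_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse a BAR laid out like struct ieee80211_bar: frame_control, duration, ra[6], ta[6], control, start_seq_num. */
bool parse_bar(const uint8_t *frame, size_t len, struct bar_info *out)
{
    if (len < IEEE80211_BAR_LEN) return false;
    uint16_t fc = bar_le16(frame);
    if ((fc & (IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) != (IEEE80211_FTYPE_CTL | IEEE80211_STYPE_BACK_REQ))
        return false;
    uint16_t control = bar_le16(frame + 16);
    uint16_t seq = bar_le16(frame + 18);
    out->tid = (control & IEEE80211_BAR_CTRL_TID_INFO_MASK) >> IEEE80211_BAR_CTRL_TID_INFO_SHIFT;
    out->ssn = (seq >> 4) & IEEE80211_SN_MASK;   /* low 4 bits are the fragment number */
    return true;
}

/* Recipient side: from the SSN and the sequence numbers received so far, build the compressed
   BlockAck bitmap (bit i set means MPDU ssn+i was received). Numbers outside the 64-frame window
   starting at ssn are ignored; the subtraction is done modulo 4096 so wrap-around works. */
uint64_t build_ba_bitmap(uint16_t ssn, const uint16_t *received, size_t n)
{
    uint64_t bitmap = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t delta = (uint16_t)(received[i] - ssn) & IEEE80211_SN_MASK;
        if (delta < 64) bitmap |= (uint64_t)1 << delta;
    }
    return bitmap;
}

/* Constructed BAR: control/BAR subtype, TID 3 with the compressed-bitmap bit, SSN 100 (100 << 4 = 0x0640). */
static const uint8_t sample_bar[IEEE80211_BAR_LEN] = {
    0x84, 0x00, 0x00, 0x00,                      /* frame control (fc 0x0084), duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,          /* RA */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,          /* TA */
    0x04, 0x30,                                  /* BAR control: compressed bitmap, TID 3 */
    0x40, 0x06,                                  /* start_seq_num */
};

int main(void)
{
    struct bar_info bi;
    uint16_t received[] = { 100, 101, 103 };     /* constructed: MPDU 102 was lost */
    if (parse_bar(sample_bar, sizeof sample_bar, &bi))
        printf("BAR tid=%u ssn=%u bitmap=0x%llx\n", bi.tid, bi.ssn,
               (unsigned long long)build_ba_bitmap(bi.ssn, received, 3));
    return 0;
}
```

The originator reads the bitmap the same way in reverse: any bit that is clear inside the window marks an MPDU to retransmit.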

Open Firmware

The Atheros 802.11n USB chipset (AR9170) has open firmware; see http://www.linuxwireless.org/en/users/Drivers/ar9170.fw


This is a static dump of the wiki, taken after locking it in January 2015. The new wiki is at https://wireless.wiki.kernel.org/.